Ken wrote:

> >If arbitrary means "what the user put into their profile",
> >yes, but we can't prevent that. Is there a way to get
> >mhstore to execute arbitrary code provided by the message?
>
> It does occur to me that there might be security concerns with using
> %a with '|', depending on shell quoting, etc etc (%a inserts all of
> the Content-Type parameters). I don't know how common that is.

Again, that's an issue with '|', not -auto. I'll remove the recommendation in the man page not to use -auto, and add one to not use %a with '|'. That seems like an odd combination, though maybe it'd be useful for things like responding to calendar requests. Though I wouldn't do that from mhstore.

David
